Analysis
-
max time kernel
125s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
01-01-2024 15:27
General
-
Target
6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc.exe
-
Size
30KB
-
MD5
c2f261985677515ab220983bccfc1bee
-
SHA1
21e324d2c8bd664a080c8fecbcd118ee040bb628
-
SHA256
6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc
-
SHA512
62066d26fdf71cd69903855ee569ae75ae520976ade784eaeb100d98c74a6b965abe371b9f14fc41a09e1a28b803dca13533b989d643ef21939ba6366cb029b8
-
SSDEEP
768:jpiSqw4KqMqwZU/Tf+5g51qWMg6FU2btWLVkn:jeZqoTfwg5HMxpRWLVkn
Malware Config
Extracted
C:\Users\Admin\Pictures\0_HELP_DECRYPT_FILES.html
15mA1ea42KSRpjYDiEJYjrHCjjMp3Cq3SG
http://blockchain.info</h3>
Extracted
C:\Users\Admin\Documents\0_HELP_DECRYPT_FILES.txt
15mA1ea42KSRpjYDiEJYjrHCjjMp3Cq3SG
http://blockchain.info
https://buy.bitcoin.com/
Signatures
-
Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc.exe"C:\Users\Admin\AppData\Local\Temp\6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" vssadmin.exe delete shadows /all / quiet2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\0_HELP_DECRYPT_FILES2.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\0_HELP_DECRYPT_FILES.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc.exe2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5a02bc664157e4e9fbe4d685861423cbb
SHA10c4f43ae15368a231e86eb5aff8231fbcdfa86c1
SHA256544c999c4353eb62ceb3b2a49feb4310aa3a7cbc1121759a01aee25f5955483e
SHA51260bdd5bd554d61ec5dd186f77cae0372dca2c2bea45849138b6d058ea300186ac3d86122839cc4416087ac222c43f5700295d764fbe047552cc3329b45e66697
-
Filesize
344B
MD5c2e1ffca856f89c757af4a21e6bb9499
SHA1adece43a5b5a7920b95d22660bcc689391b17b33
SHA2567d2e88e3f1435eea2bdcd45c46535aa5376d8b37349dc3da9b6d0cfa89f3d8b8
SHA51246197f154713736aeeac73bded2e7f0c7260d8b3ef84099fe27bb2a5f7642d94356f7401fa06c2d137946151500dccef97ddcb86c258037d6ea92801f75695ba
-
Filesize
344B
MD59ac03259a5acad60e22913fca530b614
SHA1c2adfa812520c33c9aa93c115d21bfc572a2e603
SHA25683473086aac93c3475343f5151927c68056266bab739cac3e47a7babb68579e7
SHA51286af505322e06329a7daa265759cf2f0a0271f3841a29b483bd7acd866b3d87e498e4dc04f79051ade293f793b55c88cadaa8db12edd3724943be51ff60ece9c
-
Filesize
344B
MD58cae5a611668e76a6f2a252ab56bfd5a
SHA16b179eebe294bca815530bdf4a950685600a7106
SHA256c3c5027d5b3ae386acc299dae09fd9cce238008358e9725db5b33cc22441211e
SHA51208dbf1aca9b5f188134dd1b2302accd218427aed265fe575643a814286306cf259fa44cc11b22d5775cbf7bf5f8a857c792a236a3160c6db9033ebcfc33f0632
-
Filesize
344B
MD5cfbc006398abc49639102590f264f778
SHA1d4be366dd49950bb44697716d474356d07a492e9
SHA256254bd068ad36f95fed8f3b20a815eea9191590d385f581b0529864a9f3ed4f2a
SHA512a07f2e00ca021fe6d7ca2cfd5e8ec866ab822fdbfe5c53585237039bce194e33e8e457ecdb6f3e31d59730a1bd4833399469026b3981cfa5a5b867f761b345e1
-
Filesize
344B
MD54c9c41a170d7d9841ea6ebffa9283a84
SHA1de51433d5f5ece1bb5f1045ae9371f199273ecb6
SHA256a5ba7ac4ed42085e75df840a92ec232dc6b3a56328205f46351a4b6a8ad03711
SHA512233eb93174ea7e5d85630bb99c5a60e14458fd3f4dbbbb3fa83e8578ba3ea46d75b62b4008f03209aff15563a77f112bfc093ec29d27169194eb653bb21746f2
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
48KB
MD59681da36b36f1735ca035e11bf78d8ed
SHA1f6317472df80d1b75b8d02dba1e5b44b139ad7d3
SHA2569a5cd2e27c2949209f7767aa2e2f684ae7401af187d7231db41df320f84625d2
SHA51235bbb23eb64cea5045b5847cc7a3decb684e957bc82dc44084c39e2991fd97b0a281f754b01720676298a877d224640af1f99631bae925395c96bff8aa05107b
-
Filesize
1KB
MD520f315c7493ef0efe00165c963307c5f
SHA11d0c252b44a3a600b208c42c27e7dd8458f251a2
SHA256a0e0e6e5d74b579c72952685924615c6361981a419bd2f3c602381c8d460b1d5
SHA512d44b91babbeff3d2595ea8d7dd2064058a1e1a3f862d28e43225d674d2ec2090fbcab1d7fbd6dba7471ab33a19f304edd639016abba6cba7ba5754a7d0c8c267
-
Filesize
2KB
MD509c9ed6b8ba1662393a92d572e97f157
SHA1739227048cfcc31b1f5c9eaa4e01c951c5568af2
SHA256ddce7bbc35302efeeb31b779dda6a62720e2b53748f0ded2e5e629f2a359919c
SHA51239cb5a4269b3fee435cb9a2a3a5e7c6986d5d6cb85bee1f1e277ca0e56892130dd6e72a9a3b57cb116ba0e8526fa9734933ac8674a43574318ffb1ba76a18b0e
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
9.9MB